We’re from the Government and We’re Here to Help

CISA, the Cybersecurity and Infrastructure Security Agency (I didn’t realize we had one of those) just published a list of practices that can lower an Office 365 customer’s Secure Score.  You can read their report here.

The CISA List of Risks

Here are the practices that the report highlighted.

• Multi-factor authentication (MFA) is disabled by default for administrators.
• Mailbox auditing is disabled by default.  (Note that this applies only to Office 365 installations that occurred before January of this year.)
• Password sync is enabled.  CISA listed this as a risk since a compromised user account might be able to laterally transfer into other services from Azure Active Directory (Azure AD).
• Use of Exchange Online authentication via legacy protocols (POP3, IMAP, SMTP).

CISA’s (and CGNET’s) Recommended Actions

What practices should Office 365 administrators follow to address these CISA security concerns?  Glad you asked.

Enable MFA for Admin Accounts

First, enable multi-factor authentication for all Office 365 administrator accounts.  You’ve heard us recommend this in the past, but it’s worth repeating.  A compromised administrator account can cause a great deal of damage to an organization.  So at least for administrators, the value of MFA is worth the added authentication work.

Turn on Mailbox Audit Logging (and Maybe More)

Second, turn on audit logging for Exchange mailboxes.  We regularly run administrator audit logs reports for one of our customers.  This customer has multiple administrators in various parts of the world.  It’s easy for one of these administrators to mistakenly modify a user’s Exchange mailbox configuration.  Running these audit log reports allows us to see if there any errors that need to be corrected or any suspicious behavior that needs to be investigated.

You might also turn on logging for all user mailboxes.  If this seems too intrusive or if you are realistic and realize that you don’t have time to audit user mailboxes, take this step instead.  Make sure that you set an alert for any time a user creates a rule that forwards their mail to an e-mail address outside your organization.  There are few situations where forwarding all a user’s mail to an outside address would be a legitimate action.

Password Synch is OK… if Your AD is Clean

We don’t believe that synchronizing passwords between a local AD and Azure AD adds to the security risk of an organization.  And we certainly don’t recommend disabling password sync (now called AD Connect) on security grounds.  We are seeing more customers migrate to an Azure AD only environment, which makes sense if it’s feasible to retire the local AD.

Check Those Authentication Protocols

Finally, check to see that your organization is not using legacy Exchange authentication protocols.  You can run a report from the Office 365 Admin console that will break out mailbox connections by authentication protocol.  Look for the ones using POP3, IMAP, or SMTP and figure out if you can migrate those users to Exchange authentication using the current Oauth (“modern authentication”) protocol.

It’s a little humorous that CISA just figured out that lots of organizations are moving to Office 365 and that lots of providers (like CGNET) are out there helping organizations make this move. Nevertheless, CISA’s observations and recommendations are useful to help protect your organization from being compromised.